In every other incarnation of Netscape that is Frames/Javascirpt compatible ( and for that matter IE ) when two frames exist that are the same domain they can access one another. In Netscape 6 this is not the case if the parent window ( frameset definition ) is a different domain than the two child frames, that is the sibling frames cannot access each other if the parent frame is a different domain than the two child frames. Is this due to tightened security intentionally or just a bug? From the way I understand things the file at the following posted location: http://lxr.mozilla.org/seamonkey/source/dom/public/nsDOMPropNames.h lists those objects subject to same-origin checks. Should "window.frames" be listed here? If this is overridden by modifying all.js with the following line: pref("capability.policy.default.window.frames", "allAccess"); then sibling frames can access one another across a parent frame with a different domain exposing only the frames array ( allowing for sites to do checks like top.frames.length to escape being framed ) which poses no security vulnerability. I have not posted a bug on bugzila yet as I am waiting for confirmaiton that this limitation is not intentional. If it is intentional then I think that it should be re-thought since the cross-domain security policy has always been based on limiting access to documents from different domains, the window objects themselves should be fair game except where the window properties expose information about the document, such as read access to window.location. The window objects of a window ( frames ) should be accessible themselves and their properties limited by the afore mentioned document construct. The frames array and accessing a window object reveals no information about the document or content that is meaningful or potentially insecure. Any constructive feedback would be greatly appreciated. -Anthony [EMAIL PROTECTED] Sent via Deja.com http://www.deja.com/ Before you buy.
